
GridSecCon 2015 …..Protect the Grid….

October 14, 2015

Dennis P. Gilbert, Jr.
Director, Information & Cyber Security
Corporate & Information Security Services

Exelon Corporation: Who We Are

• One of the largest U.S. competitive power generators
• 32,000 MW of owned capacity
• Largest U.S. nuclear fleet
• Renewables - wind and solar
• Retail and wholesale sales through Constellation
• Approximately 2.5 million residential, public sector and business customers
• Three utilities delivering electricity and natural gas to more than 7.8 million customers:
  - BGE in Maryland
  - ComEd in Illinois
  - PECO in Pennsylvania

PECO: At-a-Glance

PECO is the largest electric and natural gas utility in Pennsylvania. Based in Philadelphia, PECO is a subsidiary of Exelon Corporation, the nation’s leading competitive energy provider.

• 1.6 million: Electric Customers
• 508,000: Natural Gas Customers
• 2,100 square miles: Service Territory
• 1,067 miles: Transmission Line
• 8,851 miles: Underground Distribution Cable
• 12,971 miles: Aerial Distribution Line
• 472: Substations
• 12,000 miles: Natural Gas Transmission, Distribution & Service Lines

Threats to Our Sector are Real…..and Growing

Cyber Threat
• Nation-states: Military - APT; Economic Espionage; Theft of Trade Secrets
• Terrorism / Activism: Service Disruption; Web Defacement; Disinformation/Scandal; Distributed Denial of Service (DDoS)
• Criminals: Identity Theft; Credit Card / Financial Theft; Information Theft; Extortion; Inside Information

Physical Threat
• Nation-states: Military Action
• Terrorism / Activism: Service Disruption; Kidnapping/Ransom; Extortion; Protest; Civil Disturbance
• Criminals: Theft; Extortion / Blackmail; Vandalism; Workplace Violence

Combined Threat
• Electromagnetic disruption
• Joint Physical/Cyber Attack

Insider Threat
• Fraud; Embezzlement; Information Theft; Sabotage; Theft; Workplace Violence; Insider Trading

Factors for Consideration

[Diagram: Factors for Consideration, surrounded by Threats, Non-Nuclear Generation, Office Locations, Gas Facilities, Transmission, Distribution]

Cyber Security Foundational Elements
• Countermeasures
• Situational Awareness
• IT & Security Operational Excellence
• Defensible Architecture
• Cyber Security Awareness

Know Yourself. Know Your Adversary.

CS Foundational Elements based on work published by Josh Corman when with Akamai

Understanding Adversary Classes and Their Actions

Actors: Nation States; Competitors; Organized Crime; Script Kiddies; Hacktivists; Insider Threat; Terrorists

Motivations: Financial; Industrial; Military; Ideological; Political; Prestige; Retribution

Actions: Denial of Service; Phishing; Rootkit; SQLi; Trojans; Exploit; Exfiltration; Brute Force; Malware; Physical

Assets: Credit Card Info; Web Sites; Intellectual Property; Users; PII; Infrastructure; Business Assets; User Devices; Customer Lists

Outcomes: Reputation; Customer Impact; Revenue Loss; Regulatory Fines; Competitive disadvantage; Distractions; Branding; Sabotage; Fraud

Understanding Threat Actions – the Cyber Kill Chain™ (CKC)

Recon: Identification of vulnerable systems via information collection and probing
Weaponization: Attack created to exploit identified vulnerabilities
Delivery: Transmission of attack to vulnerable system
Exploitation: Execution of attack against identified vulnerability
Installation: Attacker-controlled code is executed on target system
Command & Control (C2): Compromised system communicates with attacker for commands
Actions on Objectives: Execute operations objective on target system

• The CKC identifies the 7 stages of an attack that must be completed by an adversary to achieve a desired outcome
• Operational efficiencies can be achieved by mitigating an attack as early in the CKC as possible, resulting in significantly lower costs than having to Respond and Recover
• Applying the CKC to both IT and OT can inform, focus, and strengthen your associated People, Process, and Technology investments

The Cyber Kill Chain was created by the Lockheed Martin Company and is Trademarked

Cyber Kill Chain (CKC)… To Inform Program Activities

You can leverage technology to provide visibility and mitigation at each stage of the CKC. You may be able to apply more effort with existing technology to maximize your investments.

Recon
• Visibility and mitigation: Monitor and report anomalies; Inspect denied access attempts
• Existing technology: Honeypots, IDS, Custom Tools, Firewalls, Splunk Logs

Weaponization
• Visibility and mitigation: N/A
• Existing technology: Threat Intelligence Feeds

Delivery
• Visibility and mitigation: Tune Gateway Capabilities; Enable IPS Features; Collect additional Log Data
• Existing technology: Email/Web, Network Sec, AntiVirus, Custom Tools, Splunk Logs

Exploitation
• Visibility and mitigation: Enable EMET; Collect Host Logs; Monitor for unpatched vulnerabilities
• Existing technology: EMET, Sysinternals, Scanning Tools, Splunk Logs

Installation
• Visibility and mitigation: AppLocker; SysMon; Reduce Privileges
• Existing technology: AntiVirus, DFIR Tools, Sysinternals, Splunk Logs

Command & Control (C2)
• Visibility and mitigation: Monitor for anomalies; Restrict Egress Traffic
• Existing technology: Network Sec, IDS/IPS, Custom Tools, Email/Web, Firewalls

Actions on Objectives
• Visibility and mitigation: AppLocker; SysMon; Reduce Privileges
• Existing technology: DFIR tools, Sysinternals, AppLocker, Splunk Log Data
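The two slides above make one practical claim: if each log source is tied to a kill-chain stage, you can see the earliest stage at which an intrusion was visible (the cheapest place to have stopped it) and which stages produced nothing (your blind spots). The following is an added example in Python written for this page; it is not Exelon's code or tooling. The event field names, the thresholds (SCAN_PORTS, EXFIL_BYTES, BEACON_CV), the beacon heuristic and the sample events are all assumptions constructed for the demonstration. It implements two of the slide's own detections concretely, "inspect denied access attempts" for Recon and "monitor for anomalies" at C2 (regular outbound intervals), alongside single-event rules for the other stages.

```python
"""Added example, not from the GridSecCon 2015 deck: tag constructed log events
with Cyber Kill Chain stages and report where the intrusion was first visible.
Field names, thresholds and the sample events below are all assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

CKC_STAGES = ["Recon", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command & Control", "Actions on Objectives"]

SCAN_PORTS = 10            # distinct denied ports from one source => Recon (assumed)
EXFIL_BYTES = 50_000_000   # outbound bytes in one flow => exfiltration (assumed)
BEACON_MIN = 4             # connections needed before judging periodicity
BEACON_CV = 0.15           # max jitter (stdev/mean of intervals) for a beacon

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def tag_single(ev):
    """Stage for an event that is evidence on its own; None if it needs context."""
    if ev["src"] == "proxy" and ev["url"].lower().endswith((".exe", ".scr", ".hta")):
        return "Delivery"                      # executable pulled through the gateway
    if ev["src"] == "winevent" and ev.get("provider") == "EMET":
        return "Exploitation"                  # EMET mitigation fired
    if ev["src"] == "sysmon" and ev.get("event_id") == 1:
        image = ev["image"].lower()
        if "\\appdata\\" in image or "\\temp\\" in image:
            return "Installation"              # process started from a user-writable path
    if ev["src"] == "netflow" and ev.get("bytes_out", 0) >= EXFIL_BYTES:
        return "Actions on Objectives"         # bulk outbound transfer
    return None

def is_beacon(times):
    """True when the gaps between connections are regular enough to look scripted."""
    if len(times) < BEACON_MIN:
        return False
    t = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(t, t[1:])]
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m <= BEACON_CV

def tag_events(events):
    """Return {stage: [evidence]} for every stage the logs support."""
    found = defaultdict(list)
    denied = defaultdict(set)    # external source -> distinct ports it was refused on
    conns = defaultdict(list)    # (host, destination) -> outbound connection times
    for ev in events:
        stage = tag_single(ev)
        if stage:
            found[stage].append(ev)
        if ev["src"] == "firewall" and ev["action"] == "deny":
            denied[ev["src_ip"]].add(ev["dst_port"])
        if ev["src"] == "proxy":
            conns[(ev["host"], ev["dest"])].append(ts(ev["time"]))
    for ip, ports in denied.items():
        if len(ports) >= SCAN_PORTS:           # "inspect denied access attempts"
            found["Recon"].append({"src_ip": ip, "ports": len(ports)})
    for (host, dest), times in conns.items():
        if is_beacon(times):                   # "monitor for anomalies" at the C2 stage
            found["Command & Control"].append({"host": host, "dest": dest, "n": len(times)})
    return dict(found)

def earliest_stage(found):
    """First stage with evidence: the cheapest point at which this could have been stopped."""
    return next((s for s in CKC_STAGES if s in found), None)

def visibility_gaps(found):
    """Observable stages between the first and last evidence that produced nothing."""
    idx = [i for i, s in enumerate(CKC_STAGES) if s in found]
    if not idx:
        return []
    return [CKC_STAGES[i] for i in range(idx[0], idx[-1])
            if i not in idx and CKC_STAGES[i] != "Weaponization"]  # attacker-side, N/A on the slide

def _proxy(t, host, dest, path):
    return {"src": "proxy", "time": t, "host": host, "dest": dest, "url": f"http://{dest}/{path}"}

# Constructed sample events (not real logs): a port scan, a download, a dropper,
# a five-minute beacon, ordinary browsing from another host, and a large upload.
SAMPLE_EVENTS = (
    [{"src": "firewall", "action": "deny", "src_ip": "203.0.113.77", "dst_port": p}
     for p in (22, 23, 80, 443, 445, 1433, 3306, 3389, 5900, 8080, 8443)]
    + [_proxy("2015-10-01 09:02:11", "WS-117", "cdn-files.example", "flash_update.exe"),
       {"src": "sysmon", "event_id": 1, "host": "WS-117",
        "image": "C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe"}]
    + [_proxy(f"2015-10-01 09:{m:02d}:00", "WS-117", "c2-relay.example", "gate.php")
       for m in (5, 10, 15, 20, 25)]
    + [_proxy(t, "WS-042", "news.example", "index.html") for t in
       ("2015-10-01 09:01:03", "2015-10-01 09:07:44", "2015-10-01 09:31:10", "2015-10-01 09:33:55")]
    + [{"src": "netflow", "host": "WS-117", "dest": "203.0.113.9", "bytes_out": 120_000_000}]
)

if __name__ == "__main__":
    found = tag_events(SAMPLE_EVENTS)
    print("stages with evidence:", [s for s in CKC_STAGES if s in found])
    print("earliest stage seen:", earliest_stage(found))
    print("blind spots:", visibility_gaps(found))
```

On the constructed input the chain is visible from Recon onward, the beacon to c2-relay.example is flagged while the irregular browsing from WS-042 is not, and Exploitation is reported as a blind spot because no EMET or host-log event was collected, which is exactly the gap the slide's "Enable EMET / Collect Host Logs" row is meant to close. The beacon check is deliberately strict (low jitter, few connections) and would miss malware that randomizes its sleep; in practice it is a starting point that the slide's "monitor for anomalies" row assumes you will tune against your own egress baseline.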

Concluding Thoughts

• A strategic approach to establishing and maturing ICS Security programs creates operations and cost efficiencies
• History shows a determined threat actor will always get in…..eventually
• But….an enterprise can detect and mitigate adversary actions by leveraging:
  - Intelligence,
  - People, Processes, and Technology, and
  - Understanding of the Cyber Kill Chain
• Don’t neglect cybersecurity fundamentals while chasing the “shiny new tools!”
• Prepare for a breach: exercise your Incident Response Plan…often
• Lastly, ICS Security Programs mature over time

Thank You!